1 / 22

Cloud Computing Security Research

Cloud Computing Security Research. Shane Fry NSA September 28, 2011. Overview. Who am I? What is vulnerability analysis? What is the cloud? Who is the cloud? What are the security concerns? What are some malicious uses of the cloud?. Who am I?. What is Vulnerability Analysis?.

annis
Download Presentation

Cloud Computing Security Research

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cloud Computing Security Research Shane Fry NSA September 28, 2011

  2. Overview Who am I? What is vulnerability analysis? What is the cloud? Who is the cloud? What are the security concerns? What are some malicious uses of the cloud?

  3. Who am I?

  4. What is Vulnerability Analysis? • Looking for vulnerabilities in software, hardware, or entire systems. • The goal: • Improve the security of hardware/software/systems • Create configuration guidance to mitigate vulnerabilities • Two kinds of vulnerability analysis • Black box • White box

  5. What is Vulnerability Analysis?

  6. Vulnerability Analysis Strategy

  7. Black box testing Easy No source code Tests boundaries between components Limited code coverage Reverse Engineer code to determine where the problem code is, and what is going wrong

  8. White box testing • Time consuming • Greater code coverage • Static source code analysis • Automated • Manual • Specific tests for suspected problem code

  9. Grey box testing • Uses both White box and Black box techniques: • Fuzzing • Reverse Engineering • Source code analysis

  10. What do you think the cloud is?

  11. NIST Definition On-demand self-service Broad network access Resource pooling Rapid elasticity Measured service [2]

  12. NIST Definition Visual Model of NIST Working Definition of Cloud Computing http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.hml Essential Characteristics Delivery Models Deployment Models [6]

  13. What is the cloud? • Storage • Cheap • Distributed • Automated backups • Computing • Cheap • Scalable • No infrastructure to manage • Usually both are employed

  14. Who is the cloud? [7]

  15. Security Concerns What do you think the security concerns are when using the cloud?

  16. Security Concerns • Data center location • Network perimeter security • Packet replay attacks • Information disclosure • Infrastructure security • Patch process • Underlying protocol security

  17. Security Concerns • Physical security • Backup location • File scrubbing • Persistent data storage • VM Images • VM Image Security • OS Security • Known good state • Modified base image

  18. Cloud Architecture

  19. Malicious Use WPA cracking [4] Password cracking [5] DDoS attacks [3] Botnets [3]

  20. Questions?

  21. References • http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf • http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf • http://www.defcon.org/images/defcon-18/dc-18-presentations/Bryan-Anderson/DEFCON-18-Bryan-Anderson-Cloud-Computing.pdf • https://www.wpacracker.com • http://stacksmashing.net/2010/11/15/cracking-in-the-cloud-amazons-new-ec2-gpu-instances/ • http://2.bp.blogspot.com/_hnCtHg5syTo/S-QY0NuPrrI/AAAAAAAAAKk/yHswSLD0fQk/s1600/NIST+Cloud.jpg • http://blogs.southworks.net/mwoloski/files/2008/08/posterservices.png

  22. THE DECISIVE ADVANTAGE

More Related